New legislation introduced July 15 by Rep. Eric Swalwell, D-California, seeks to mandate penetration testing and other proactive cyber defense measures for certain federal agency networks, and to give the National Cyber Director (NCD) the power to resolve potential conflicts between agencies with overlapping cybersecurity missions.
The Proactive Cyber Initiatives Act of 2022, said Rep. Swalwell’s office, is a “bill that invests in innovative cybersecurity methods to ensure we patch cyber vulnerabilities before our adversaries do.”
Among other provisions, the bill would:
- Mandate penetration testing for “moderate to high risk government systems” and provide agencies with recommendations on authorities and resources needed;
- Give the NCD the power to “address conflicting risks between agencies with overlapping cyber jurisdiction”;
- Require federal agencies to “report on proactive cyber methods such as deception technologies, ongoing monitoring, and proportionate action taken in response to an unlawful breach”; and
- Require new recommendations on cyber risk mitigation.
The bill’s call for penetration testing of federal agencies’ network defenses follows pending Senate and House legislation to make major reforms to the Federal Information Security Modernization Act of 2014 (FISMA), and is consistent with the oft-expressed wishes of Federal CISO Chris DeRusha. Speaking about goals related to FISMA reform last year, DeRusha said, “Our goal is to move from untested security to tested security.... It won’t be easy and it will be a bit of a transition.”
“Cybercrime increasingly endangers American families, businesses and government agencies,” Rep. Swalwell said when he introduced the new bill.
“For too long, we’ve only addressed vulnerabilities after a breach has occurred,” he said. “My bill emphasizes a more proactive and innovative plan to protect our most critical infrastructure.”
And his office described the scale of the problem as nothing short of dire. “The United States is desperately losing the cybersecurity battle against other nations,” the congressman’s office said.
“In 2018, FBI cybercrime agents determined that every American should expect their personal information to be stolen by criminals and on the dark web already,” his office said. “This is largely because most current cybersecurity practices are defensive, typically only patching vulnerabilities after they have been exploited. More resources and new initiatives are needed to strengthen our cyber posture, including federal government penetration testing to fix vulnerabilities internally, using deception techniques to trap bad actors and study their behaviors, and engaging in ongoing monitoring to test our systems against millions of separate entries.”